Google+ data breach: What you need to know

It certainly feels that way after the search giant admitted late Monday that roughly 500,000 people who use Google+, its much-maligned social networking service, may have had their data illegally shared without their consent with up to 438 outside developers.

That, in itself, doesn’t look good. But the company — which discovered, and fixed, the glitch that allowed the data to be illegally shared in March this year — decided not to tell anyone, neither users nor national regulators.

The Wall Street Journal broke the story, and claimed that a committee inside Google feared the revelation would paint the company alongside Facebook, which had just suffered its own data scandal with Cambridge Analytica, a British data firm.

Here's what you need to know about the Google+ data breach:

What does this all mean? For one, Google is shutting down (or "sunsetting," in Googlese) its consumer version of the product, which, to be honest, was used about as much as MySpace and Friendster in their time. Google said that no one’s personal data (such as email address, gender and age) had been misused, and that it was making changes to its other data collection practices to reduce the likelihood of further problems.

That’s all well and good, but: By not informing regulators (Google fixed the problem in March, so Europe’s new privacy standards, known as the General Data Protection Regulation, or GDPR, with its potential blockbuster fines, don’t apply), the search engine looks less than forthright. It may claim that no data was mishandled, but that’s not going to cut it with regulators who are already on the warpath over how tech companies collect and use reams of our personal data.

Initial reactions: At first, politicians on both sides of the Atlantic were slow off the mark. But early Tuesday, officials started the drumbeat of protests about Google's lax data protection standards. Guy Verhofstadt, a senior member of the European Parliament, called on Sundar Pichai, the company's chief executive, to testify before Brussels lawmakers (that's not very likely). "It's time we tame these tech monsters once and for all!" Verhofstadt wrote on Twitter in his usual mild-mannered way.

Not everyone, though, is casting blame solely on Google. Mounir Mahjoubi, France's digital minister, said the country's citizens should take a hard look at how tech companies collect and use their personal data. “We have to realize that today our personal data are not protected properly and they can leak,” Mahjoubi told French radio.

Expect investigations: So who's going to throw the book at Google? In the U.S., the Federal Trade Commission is the most likely agency, though nothing has yet been confirmed. In Europe, it's more complicated. Because the data breach happened before the region's new data protection standards came into force, any of the Continent's more than 30 national privacy regulators can have a go, as long as they receive a complaint from one of their citizens. Oh boy.

You can’t get away from the Facebook link: Google, which privately had been crowing about its own privacy protections before this week's revelations, is adamant that this scandal is different to Facebook's own Cambridge Analytica — and subsequent data breach — woes. That may be the case, at least on paper.

But you have a large tech company that’s collecting lots of personal data, mishandling it, and third-party actors gaining access to it, often by accident.

As the expression goes, if it swims like a duck and quacks like a duck, then it probably is a (privacy scandal) duck.